The increasing digitalization of power grids has introduced cyber security vulnerabilities. One of the vulnerabilities is related to the IEC 61850 Generic Object Oriented Substation Event (GOOSE) protocol for time-critical communication between Intelligent Electronic Devices (IEDs). This protocol lacks built-in message integrity and authentication mechanisms, making it susceptible to cyber attacks, e.g., spoofing. To address these vulnerabilities, IEC 62351-6:2020 recommends the usage of a Hash-based Message Authentication Code (HMAC). However, implementing this security measure in existing brownfield digital substations is challenging due to the lack of compatible commercial devices and is economically expensive. Therefore, this research proposes and evaluates a cost-effective cyber security enhancement using commodity hardware, e.g., Raspberry Pi, to implement HMAC-based message authentication for ensuring GOOSE message integrity and authentication in brownfield digital substations with respect to stringent time requirements for the operation of protective relays. The proposed solution ensures message integrity and authentication while maintaining compliance with standard requirements. Validation is performed using real commercial IEDs in a real-time Hardware-in-the-Loop (HIL) architecture, demonstrating that the solution meets substation time requirements. This approach provides a feasible and immediate cyber security enhancement for brownfield digital substations without requiring significant infrastructure changes.

Digital substations, which replace traditional analog infrastructure, are essential to power grid operation but are facing growing vulnerability to cyber attacks. Existing anomaly detection in substation communication requires labeled datasets for supervised training and fails to incorporate temporal characteristics, which cannot detect unknown persistent attacks. Setting arbitrary thresholds for outlier detection leads to high false positives and low detection rates. This paper addresses cyber security challenges related to IEC 61850 Generic Object Oriented Substation Event (GOOSE) protocol within digital substations. We propose a novel unsupervised Transformer-based Distribution Fitting Anomaly Detection (TF-DiFAD) method for time series GOOSE frames with a robust thresholding technique. Deep packet inspection is used to extract features from GOOSE frames, which are processed through the proposed TF-DiFAD model. TF-DiFAD combines the deep learning transformer model with statistical distribution fitting techniques to accurately detect anomalous GOOSE frames. Specifically, reconstruction errors are generated using a state-of-the-art transformer model. A novel model-agnostic solution is applied for setting anomaly thresholds and calculating anomaly probabilities. The Kolmogorov-Smirnov test is employed to select the best-fitting distribution for these errors. TF-DiFAD is benchmarked against other state-of-the-art models using two distinct test datasets, demonstrating superior performance. The results indicate that TF-DiFAD detects anomalies with Receiver Operating Characteristics Area Under Curve (ROC AUC) scores of 96.84% and 95.73% respectively for both datasets.

Cyber attacks on power grids are imminent and potentially have a severe impact, as evidenced by the cyber attacks in Ukraine in 2015, 2016, and 2022. In response to this challenge, machine learning-based Intrusion Detection Systems (IDS) have become more prevalent as a potential mitigation owing to their alignment with the latest advances in artificial intelligence. However, existing anomaly detection methods for power grid Operational Technology (OT) are often inadequate, as they primarily focus on detecting power grid physical anomalies at the later attack stages and suffer from the scarcity of available data for supervised machine learning. To address these limitations, we propose a novel semi-supervised IDS specifically for digital substations of the power system. The proposed detection method identifies the distinctive distance similarity of digital substation OT communication traffic using a Convolutional Neural Network and Chebyshev distance of packet payloads, and Kolmogorov-Smirnov of packets’ interarrival time using Fast Fourier Transform amplitude. Subsequently, these traffic features are combined into a vector and classified using a novel hybrid semi-supervised Self-Organizing Map (SOM) and Density-Based Spatial Clustering of Applications with Noise (DBSCAN). Results indicate that the proposed method can identify zero-day attacks and achieve accuracy and F1 above 95%.

The increasing digitalization of Cyber-Physical Power Systems (CPPS) has enhanced power system operation and control but has also expanded the attack surface for cyber threats. Detection of early-stage attacks such as reconnaissance and Denial-of-Service (DoS) is critical to prevent power system-wide disruptions. Centralized Machine Learning (ML)-based techniques have been proposed for detecting cyber attacks. However, they struggle to ensure data privacy. Federated Learning (FL) can address this issue through collaborative model training without raw data sharing. Yet, FL’s performance degrades under non-Independent and Identically Distributed (non-IID) data, a common scenario in real-world CPPS environments. In this paper, we propose a cluster-based FL method using Bidirectional Long Short-Term Memory (BiLSTM) for attack detection at the early stages of the cyber kill chain. It uses unsupervised clustering of client model updates for aggregation robustness and model generalization across heterogeneous clients. By grouping clients based on similarity in model updates, our method mitigates the adverse effects of data heterogeneity while preserving data privacy. The UNSW-NB15 dataset is used for distributed training under non-IID conditions and evaluation of the proposed method. Experimental results demonstrate that our cluster-based FL method achieves over 95% detection accuracy, proving its effectiveness in distributed cyber attacks detection in power systems.

Mitigation strategies to absorb impacts from extreme events that may trigger cascading outages are crucial for modern power systems, particularly given the increasing penetration of power electronics, thereby enhancing system resilience. This paper presents a comprehensive resilience-centered framework that integrates cyber-physical cascading mitigation through network topology reinforcement and operational strategies, specifically DC segmentation and controlled islanding, respectively. The methodology first identifies AC lines at segmentation boundaries (i.e., those that most frequently contribute to system partitioning) and evaluates the benefits of replacing them with VSC-HVDC links through dynamic cascading analysis and quantification, thereby enabling the asynchronous interconnection of segments. This approach helps confine cascading impacts within segments, significantly reducing the risk of widespread blackouts, especially in renewable-rich power grids with a heightened risk of instability. Next, to enhance operational resilience against cascading failures, controlled islanding is implemented within the DC-segmented system undergoing cascade initiation, effectively further confining cascading stress to a limited area around the origin of the initiating events. Tailored to enhance resilience in hybrid AC/DC power grids against cyber and physical cascade triggering events, the method leverages a cyber-anomaly detection technique to identify elements affected by fabricated protection trip commands and measurement replay attacks, distinguishing cyberattacks from physical disturbances. Implemented in the IEEE 39-bus and 118-bus test systems with dynamic cascading failure modeling that fully captures voltage and frequency transients in system response, the method demonstrates improvements of up to 88 % and 97 % in served demand, respectively, highlighting its effectiveness in mitigating cascading impacts and enhancing system resilience.

The Digital Twins (DT) have emerged as the technology that provides capabilities to simulate and analyze cyber-physical systems’ behaviors using digital replicas. This is achieved through high-fidelity digital models, bi-directional communication and (near) real-time data exchange between physical real-world systems and DTs. Despite its capabilities of facilitating real-time monitoring, optimization, and predicting system performance, effectively leveraging DT for power system applications requires integrating data from heterogeneous sources and addressing various data related aspects. These include data modeling, exchange and interoperability. One promising concept to address these aspects is that of data federation which promotes interoperability, allowing DTs to operate autonomously, yet interact seamlessly. While various studies in literature have addressed DT applications, technologies, and challenges, a comprehensive review on the data federation aspects within power systems still needs to be investigated. This research seeks to bridge this gap by providing an in-depth review of DT practices in academia and industry, functional and non-functional requirements, and enabling technologies, with emphasis on data federation. Its role in enhancing system-wide interoperability in the power system, along with associated challenges are summarized and discussed.

This paper elaborates on an extensive security framework specifically designed for energy management systems (EMSs), which effectively tackles the dynamic environment of cybersecurity vulnerabilities and/or system problems (SPs), accomplished through the incorporation of novel methodologies. A comprehensive multi-point attack/error model is initially proposed to systematically identify vulnerabilities throughout the entire EMS data processing pipeline, including post state estimation (SE) stealth attacks, EMS database manipulation, and human-machine interface (HMI) display corruption according to the real-time database (RTDB) storage. This framework acknowledges the interconnected nature of modern attack vectors, which utilize various phases of supervisory control and data acquisition (SCADA) data flow. Then, generative artificial intelligence (GenAI)-based anomaly detection systems (ADSs) for EMSs are proposed for the first time in the power system domain to handle the scenarios. Further, a set-of-mark generative intelligence (SoM-GI) framework, which leverages multimodal analysis by integrating visual markers with rules considering the GenAI capabilities, is suggested to overcome inherent spatial reasoning limitations. The SoM-GI methodology employs systematic visual indicators to enable accurate interpretation of segmented HMI displays and detect visual anomalies that numerical methods fail to identify. Validation on the IEEE 14-Bus system shows the framework’s effectiveness across scenarios, while visual analysis identifies inconsistencies. This integrated approach combines numerical analysis with visual pattern recognition and linguistic rules to protect against cyber threats and system errors.

Digitalization is paving the way toward enhanced power grid operational capabilities and intelligence. The increased digitalization, however, also implies a greater risk of cyber vulnerabilities and threats. Therefore, various power systems facets such as transmission and distribution systems, digital substations, control centers, and wide-area communication networks are vulnerable to cyber-attacks. The most notable cyber-attacks on power grids are the twin attacks on the Ukrainian power grid in 2015 and 2016. These incidents clearly highlighted that cyber-attacks on power grids are an imminent threat that needs to be addressed. Keeping this in mind, this chapter provides essential knowledge of cyber-attack mitigation for cyber-physical power systems, i.e., secure communication protocols for operational technologies, penetration testing using cyber ranges and cyber-physical co-simulation, security controls, and intrusion detection and prevention systems. Among the wide-scope mitigation, artificial intelligence is highlighted as an emerging solution. This chapter presents how hybrid deep learning based on graph convolutional long short-term memory is used for anomaly detection in power system operational technology (OT) networks. Unlike traditional signature and supervised learning-based intrusion detection, the hybrid deep learning anomaly detection utilizes the OT traffic throughput. It takes advantage of the OT traffic’s deterministic and homogenous characteristics to provide a robust and flexible anomaly detection for a wide scope of cyber-attacks. The traffic anomalies are incorporated into an attack graph that aids power system operators identify and localize anomalies of active attacks on power systems in near real time. Cyber-attack case studies and cyber-physical co-simulation results are provided to demonstrate the efficiency of hybrid deep learning for anomaly detection.

Power grids are undergoing a fast-paced process of digitalization for enhanced monitoring and control capabilities and grid intelligence. However, the increased integration of digital technologies, such as the next generation of operational technologies (OTs) and digital substations, implies a new risk as information technology (IT)-OT systems are vulnerable to cyberattacks. Furthermore, the combination of heterogeneous, co-existing smart and legacy technologies generates significant vulnerabilities and security challenges. Examples of cybersecurity incidents related to power grids already exist around the world. On December 23, 2015, cyberattacks were conducted on the power grid in Ukraine that resulted in power outages, which affected 225,000 customers. More sophisticated cyberattacks on the Ukrainian power grid followed on December 17, 2016, resulting in a power outage in the distribution network where 200 MW of load was unsupplied. The complexity of cyberattacks on power systems is likely to increase. This chapter provides the state-of-the-art and essential knowledge of threats and cyberattacks on power systems. This chapter reviews major cyberattacks on power grids and industrial control systems. A detailed taxonomy of cyberattacks is provided. Power grid vulnerability to six main types of cyberattacks is discussed, that is, phishing, malware, network-based attacks, man-in-the-middle attacks, host-based attacks, and denial of service. The impact of cyberattacks on grid operation is analyzed in terms of loss of load, cascading effects, and equipment damage. A case study of a cyberattack scenario and simulation results are provided.

Virtualization in digital substations is a rising trend in the power sector, opening up interesting research avenues. The virtualization of intelligent electronic devices (IEDs) is thought to enable more flexible and agile cybersecurity software updates and patching processes while seamlessly integrating with current physical IEDs. However, no studies have yet considered a general cybersecurity assessment for such novel hybrid systems. To fill this gap, a systematic cybersecurity assessment of a digital substation composed of hybrid (virtual and physical) IEDs is presented in this paper. A testbed was developed to assess the different attack vectors with a focus on targeting virtual machines (resource exhaustion) and injection attacks on IEC 61850-compliant communication streams. A hybrid protection selectivity use case was successfully demonstrated with multiple targeted cyber attacks on the testbed where the non-attacked IED successfully cleared the grid fault. The attacks’ impacts ranged from minor to major effects on the IEDs’ tripping signals (and eventually circuit breaker actions) including forced signal delays, signal latching, and signal drops. The results of this study highlight the importance of providing a proper cybersecurity by design strategy for integrating hybrid substation systems with virtualization technologies.

As a part of energy transition, the shift from internal combustion engines (ICEs) to electric vehicles (EVs) has accelerated the development of the EV charging infrastructure (EVCI). EVCI rely heavily on information and communication technologies (ICTs) and the Internet of Things (IoT). As a result, the susceptibility to cyber attacks increases. However, although EVCI are strongly intertwined with cyber-physical power systems (CPPSs), the consequences of such a cyber attack on the power grid are not widely researched. In this paper, we present a comprehensive cyber-physical system architecture of the EV charging infrastructure based on the industry practice in The Netherlands, which is applicable to European distribution systems. We present a survey of work on EVCI cyber security and CPPS resilience. We combine unique industrial insights with the academic state-of-the-art. We show that although cyber security of EVCI is researched, the state-of-the-art inadequately covers the consequences for CPPSs, especially distribution networks. We survey the current work on CPPS resilience and conclude that while cyber attacks are often recognized as high impact low probability (HILP) disturbances of CPPSs, the resilience-related research on cyber attacks on EVCI is lacking. Therefore, we present a novel method to model the stochastic EV charging behaviour based on probability density functions (PDFs). We validate the method using PowerFactory models of distribution networks supplied by a Dutch distribution system operator (DSO). We demonstrate the effects of cyber attacks on EVCI on distribution networks voltages. Under the investigated operational scenario, the impact is not significant. However the results do underline the importance of researching cyber attacks on EVCI from a CPPS resilience perspective. Research into future scenarios of energy transition is essential for future resilient operation of power grids.

Cascading failures in power systems are extremely rare occurrences caused by a combination of multiple, low probability events. The looming threat of cyberattacks on power grids, however, may result in unprecedented large-scale cascading failures, leading to a blackout. Therefore, new analysis methods are needed to study such cyber induced phenomena. In this article, we propose a data-driven method for dynamical analysis of power system cascading failures caused by cyberattacks. We provide experimental proof on how attacks may accelerate the cascading failure mechanism, in comparison to historically observed blackouts. Using a dynamic power grid model, consisting of multiple, coordinated protection schemes, we define and analyze the point of no return in a cascading failure sequence by applying the Hilbert-Huang transform for time-frequency analysis. Numerical results indicate, cyberattacks may accelerate cascading failures at least by a factor of 3x. This is due to the excitation and non-damping of multiple frequency modes greater than 1 Hz in a short time span. The proposed method is tested using time domain simulations conducted through a modified IEEE 39-bus test system, which can simulate cascading outages using coordinated protection schemes.

This article implements and validates the performance of a virtual intelligent electronic device (vIED) framework for digital substations using a real-time (RT) simulation environment. The work looks toward the future design of protection, automation, and control systems, an evolution of the digital substation design based on IEC 61850 and virtualization technology. An RT simulation setup was developed to speed up and enhance the deployment and maintenance of vIEDs with a novel well-defined test methodology. Several scenarios were tested by varying the number of vIEDs and relevant (communication, scalability, and functionality) configuration criteria. In addition, we assessed the efficiency of a software-defined communication network for the vIED framework and its adaptability to dynamic scaling of the network under transient data traffic loads. The tests demonstrated the efficient performance of vIEDs across various system configurations, particularly for requirements on the response time and network transfer latency. The findings showcase the significance of proper design and testing methodology that can be benchmarked against other virtualization platforms for substation systems.

Electrical power grids are vulnerable to cyber attacks, as seen in Ukraine in 2015, 2016, and 2022. These cyber attacks are classified as Advanced Persistent Threats (APTs) with potential disastrous consequences such as a total blackout. However, state-of-the-art intrusion detection systems are inadequate for APT detection owing to their stealthy nature and long-lasting persistence. Furthermore, they are ineffective as they focus on individual anomaly instances and overlook the correlation between attack instances. Therefore, this research proposes a novel method for spatio-temporal APT detection and correlation for cyber-physical power systems. It provides online situational awareness for power system operators to pinpoint system-wide anomaly locations in near real-time and preemptively mitigate APTs at an early stage before causing adverse impacts. We propose an Enhanced Graph Convolutional Long Short-Term Memory (EGC-LSTM) by using sequential and neural network filters to improve APT detection, correlation, and prediction. Control center and substation communication traffic is used to determine cyber anomalies using semi-supervised deep packet inspection and software-defined networking. Power grid circuit breaker status is used to determine physical anomalies. Cyber-physical anomalies are correlated in cyber-physical system integration matrix and EGC-LSTM. The EGC-LSTM outperforms existing state-of-the-art spatio-temporal deep learning models, achieving the lowest mean square error.

Power grid digitalization introduces new vulnerabilities and cyber security threats. The impact of cyber attacks on power system stability is a topic of growing concern, which is yet to be comprehensively analyzed. Traditional power system stability analysis is based on the impact of non-malicious small, and large physical disturbances. However, cyber attacks introduce a new dimension to power system stability, in which malicious cyber actors can selectively target critical systems and applications and cause severe stability issues. Hence, in this work, the traditional disturbances considered in power system stability classification are expanded from physical to cyber-physical disturbances caused by cyber attacks. Based on a thorough state-of-the-art, an analysis of how cyber attacks can translate into physical disturbances affecting the traditional power system stability categories is performed. The system stability analysis is expanded by mapping the power system stability categories with the defined cyber-physical attack types. The findings of this work showcase the importance of cyber security for power system stability.

The increasing risk of cyber-physical attacks (CPAs) on power infrastructure has led to need for reliable detection technologies. As the landscape of cyber threats evolves, it becomes imperative to continually update and enhance attack detection techniques. This research investigates the formulation of detection algorithm, via combination of State Partition Particle Filter (SP-PF) theories for power system security. The proposed approach applies intelligent partitioning of the state space so as to be accurately represented with fewer particles. This reduction in computational demand enhances the algorithm’s efficiency, making it more practical for real-time applications. The detection algorithm based on SP-PF is tested against switching attacks (SAs) launched on the governor and excitation systems associated with the generator. The RTDS platform is utilized for conducting real-time simulations of IEEE 9-bus power network in order to demonstrate the efficacy of proposed SP-PF based detection SA in real-time.

Cyber actors can target the unsecured IEC 61850 protocols in digital substations to open circuit breakers and affect the power system operation. Thus, system operators must detect cyber-physical anomalies and differentiate in real-time between power system faults and cyber attacks on digital substations for effective incident response. In this work, we propose a novel image encoding method for event correlation using cyber-physical time-series data, i.e., Phasor Measurement Units (PMUs) and Operational Technology (OT) network traffic. More specifically, we propose a dynamic variation of the Gramian Angular Field method, which generates image streams capturing in real-time the spatial-temporal features in PMU measurements and IEC 61850 GOOSE traffic throughput. The proposed method for cyber-physical event correlation uses an image fusion technique. The method is tested using the benchmark IEEE 9-bus system. It successfully distinguishes between three-phase faults and GOOSE cyber attacks, demonstrating its usefulness for power system cyber security analytics.

Cyber-physical power systems are susceptible to cyber threats and attacks that can lead to cascading failures and widespread power outages. Therefore, mitigating the impact of such attacks requires the timely implementation of operational strategies to prevent cascading blackouts. One Such strategy is the controlled islanding of the affected power grid, serving as a last resort against the propagation of the cascading outages. In this context, this paper introduces a novel detection-informed operational mitigation strategy, i.e., controlled islanding, against cyberattack-induced cascading failures, addressing 'when' and 'where' to implement controlled islanding. The proposed strategy leverages dynamic cascading failure modeling to quantify the impact of ongoing cyberattacks on power grids, using quantitative metrics such as demand-not-served (DNS). For effective operational mitigation, the strategy initiates controlled islanding when any attack, including fabricated protection trip commands and measurements' replay attacks, are detected, and any operating limits, such as line loading, are violated. It then proceeds to the implementation of controlled islanding, where identified cyberattack-affected elements are effectively surrounded by stable and self-sufficient islanded areas, while minimizing the system DNS. Numerical results on the IEEE 39-bus system demonstrate the effectiveness of the proposed strategy, reducing the DNS value by up to 47% when the controlled islanding strategy is implemented.

Cyber security risks are emerging in Cyber-Physical power Systems (CPS) due to the increasing integration of cyber and physical infrastructures. Critical component identification is a crucial task for the mitigation and prevention of catastrophic blackouts. In this paper, we propose a novel method using graph data mining for critical CPS components identification named GraphCCI. First, it defines two categories of component correlations to reveal the cascading features of CPS. GraphCCI maps cascading failure datasets under time-varying operational states into weighted cascading graphs and constructs a graph database for graph data mining. By adopting graph data mining techniques, frequent subgraphs are identified to construct the Cascading Characteristics Graph (CC-Graph). Finally, the Node Criticality Index (NC-Index) is proposed to quantify the criticality of each CPS component. The experimental results on the IEEE 39-bus system verify the effectiveness of the proposed method and present an in-depth analysis of the CPS cascading features.

High Voltage Direct Current (HVDC) technology is one of the key enablers of the energy transition, especially for offshore wind energy systems. While extensive research on cyber security of High Voltage Alternating Current (HVAC) systems has been conducted, limited research exists on cyber security aspects of HVDC systems. These systems exhibit unique attributes, in comparison to HVAC systems, such as longer transmission line distances and increased volume of data samples for wide-area monitoring, control, and protection applications. These factors lead to a higher vulnerability of HVDC systems to cyber attacks. Existing state-of-the-art HVDC surveys, however, are primarily focused on HVDC physical components and exclude cyber security elements. Therefore, this paper presents the first detailed survey on the cyber security of HVDC Cyber-Physical Systems (CPS). We present a comprehensive review of the state-of-the-art HVDC systems, with a special focus on cyber threats and vulnerabilities, defense and mitigation strategies, and testbeds. Based on the review and analysis, insights and recommendations on future research directions to address the research gaps in this field of study are provided. Future research on cyber security for HVDC systems should prioritize the integration of cyber and physical system data and focus on early-stage detection to mitigate the potentially severe impacts of cyber attacks on HVDC grids.